help in creating digital cetificate
We are planning to create our own CA by using ikeyman from IBM . At the same time we want create a different Digital Certificates for each client so that they can use the certificate to talk to our server.
I wrote a java program to do this , but i am not sure this is the correct way ..Please help me in assisting
I don't know how to sign the certificate by CA programatically
Thanks
srinivas
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.*;
import java.security.spec.*;
import java.io.*;
import java.util.*;
import java.math.*;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class ClientCertificates {
static X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
static MessageDigest digester;
static int counter =1;
public static void main (String[] args) throws Exception {
Security.addProvider(new BouncyCastleProvider());
digester = MessageDigest.getInstance("MD5");
KeyStore serverKeyStore = KeyStore.getInstance("JKS");
// String keystoreFile = "FileTransfer.privateKS";
FileInputStream fis;
KeyStore ks1 = null;
KeyPairGenerator KPGen = null;
try {
ks1 = KeyStore.getInstance("JKS");
String keyPass = "startnow";
char[] pwd = keyPass.toCharArray();
fis = new FileInputStream("server.jks");
ks1.load(fis,pwd);
Enumeration e = ks1.aliases();
while(e.hasMoreElements())
{
System.out.println((String)e.nextElement());
}
X509Certificate cert = (X509Certificate)ks1.getCertificate("server");
X509Certificate clientCert = createClientCert();
ks1.setCertificateEntry("client"+counter,clientCert);
fis.close();
FileOutputStream fos = new FileOutputStream("server.jks");
ks1.store(fos,pwd);
fos.close();
} catch (FileNotFoundException e) {
}
}
public static X509Certificate createClientCert()
throws Exception
{
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
kpGen.initialize(1024);
KeyPair kpair = kpGen.generateKeyPair();
//
// issuer
//
String issuer = "CN=oagserver.csnt.csnet.gov, O=oagserver.csnt.csnet.gov, C=US";
//
// subjects name table.
//
Hashtable attrs = new Hashtable();
Vector order = new Vector();
counter++;
attrs.put(X509Principal.C, "reddy"+counter);
attrs.put(X509Principal.O, "reddy"+counter+".csnt.csnet.gov");
attrs.put(X509Principal.L, "oag");
attrs.put(X509Principal.CN, "reddy"+counter+".csnt.csnet.gov");
attrs.put(X509Principal.EmailAddress, "testing@tester.org");
order.addElement(X509Principal.C);
order.addElement(X509Principal.O);
order.addElement(X509Principal.L);
order.addElement(X509Principal.CN);
order.addElement(X509Principal.EmailAddress);
v3CertGen.setSerialNumber(BigInteger.valueOf(20));
v3CertGen.setIssuerDN(new X509Principal(issuer));
v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30));
v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30)));
v3CertGen.setSubjectDN(new X509Principal(order, attrs));
v3CertGen.setPublicKey(kpair.getPublic());
v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
X509Certificate cert = v3CertGen.generateX509Certificate(kpair.getPrivate());
cert.checkValidity(new Date());
printDigest(cert);
return cert;
}
static void printDigest(X509Certificate certi) {
byte[] sig = certi.getSignature();
digester.update(sig);
byte[] digest = digester.digest();
for(int i = 0; i< digest.length; i++)
System.out.print(digest);
System.out.println();
}
}